Online Security, a global provider of computer forensics and information technology risk mitigation since 1997
The HIPAA Implementation Newsletter Issue #41 - Friday, Sept. 9, 2002
Posted: Sep 09 2002 Hal Amens
Late Start | Internet | I.T. | PKI
Status: Transaction Extension
“As of Aug. 26, some 89,375 health care entities have filed for a one-year extension to meet requirements under the HIPAA transactions and code sets rule, according to the Department of Health and Human Services. Because physician group practices can file one extension application on behalf of all physicians in the group, the number of covered entities that have received extensions is somewhat higher than the announced figure. Still, that’s a relatively small number, considering that HHS estimates around 2 million covered entities could be eligible for the extension.
“The transactions rule has a compliance date of Oct. 16, 2002. Congress last year enacted the Administrative Simplification Compliance Act to extend the deadline by a year, but only to covered entities that submit an application, called a compliance plan, to HHS by Oct. 15, 2002.”
www.healthdatamanagement.com
Jump Start a Late Start
The above article, and the fact that we and several of our associates have recently received requests for proposals from organizations that are at or near square one, suggest that a large number of organizations haven’t started or haven’t made much progress. We doubt that any of the readers of this newsletter are still at square one, but in case you are, or if you know someone who is, or if there is a part of your plan that is falling behind, read on.
When there were two years between your organization and the first compliance deadline, there was time to apply traditional remediation processes. Now there are about seven months to the privacy deadline and the transaction-testing deadline. If you haven’t started yet or are falling behind, it is time to look for creative solutions. We offer the following:
1. Focus on privacy. This can be an iceberg in terms of the apparent and actual staff hours and calendar time required to develop, review, implement and train everyone affected.
2. Be certain your system vendor will be ready to test in April 2003. If there is any doubt, start working on a contingency plan. See Issue #38.
3. How much time does your staff have to work on HIPAA and still get their job done? Most organizations are very lean. Be realistic.
4. How much time will HIPAA take? If you don’t have the answers to these two questions, or if the answer to #3 is smaller than #4, start looking for outside help.
5. If you plan to hire a consultant, define what you want them to do in terms consistent with the HIPAA regulations. We recently received an RFP that dealt with transactions and code sets in a way that would have left significant work undone.
6. If you have started, tell the consultant what you have done and what you expect them to do: Use what you have done? (That may be risky for you and the consultant.) Review what you have done and use as much as possible? (Usually the best solution.)
7. Rely on the consultant to propose how to do it. Each consultant brings their own experience, processes and tools. Evaluate what they propose and don’t hire them unless you are comfortable with their way of dealing with your requirements.
8. Consider multiple consultants for different requirements, e.g., transactions, system security, physical security, privacy policies and procedures. You can get started faster on the highest priority issues and it will probably be easier to find companies with more limited areas of expertise. On the other hand, you will have to manage all of them to assure there are no gaps or failed interfaces.
9. Require communication about plans and progress. Early in the project, require a project plan that defines dates and deliverables that can be evaluated in terms of timeliness, effectiveness, and quality. Measure progress in terms of deliverables. Don’t rely too heavily on status reports. How do you know something is 90% complete? There are thousands of stories about projects where it took 90% of the project time and budget to complete the last 10%.
Model Guidelines for Internet
The Federation of State Medical Boards has issued Model Guidelines For The Appropriate Use Of The Internet In Medical Practice. This provides useful standards and topics to be addressed in the design of a Web site and the use of email.
“The (name of board) recognizes that the Internet offers potential benefits in the provision of medical care. The appropriate application of this technology can enhance medical care by facilitating communication with physicians and other health care providers, refilling prescriptions, obtaining laboratory results, scheduling appointments, monitoring chronic conditions, providing health care information and clarifying medical advice. However, it is the expectation of the Board that e-mail and other electronic communications and interactions between the physician and patient should supplement and enhance, but not replace, crucial interpersonal interactions that create the very basis of the physician-patient relationship.
“The Board has developed these guidelines to educate licensees as to the appropriate use of the Internet in medical practice. The (name of board) is committed to assuring patient access to the convenience and benefits afforded by the Internet while promoting the responsible practice of medicine by physicians.”
www.fsmb.org
Payers’ Web Sites
“Health care payers have significantly increased interactive services on their Web sites, according to a survey from Cap Gemini Ernst & Young, a New York-based consulting firm. The firm reviewed 78 payer Web sites between November 2001 and January 2002 and interviewed 20 webmasters.
“Some 31% of surveyed payer Web sites enable consumers to file claims online compared with 4% in Cap Gemini's previous survey last summer. Web sites enabling consumers to track a claim online more than doubled, to 59%.
“Payers also have boosted interactive services to providers, according to survey results. Some 56% of surveyed sites give access to clinical guidelines, more than twice the number in the summer survey. Another 53% of sites enable providers to file claims online, compared with 26% in the previous survey; and 63% offer claims tracking, versus 32% previously.”
www.healthdatamanagement.com
I.T. Boosts Clinical Care Quality
“A free report from the California HealthCare Foundation examines how available information technology can improve the quality of clinical care in physician offices. First Consulting Group Inc., Long Beach, Calif., wrote the report on behalf of the foundation. It is the latest report in a series the foundation has commissioned to examine various health care I.T. issues.
The report, “Crossing the Chasm with Information Technology: Bridging the Quality Gap in Health Care,” shows how I.T. can support the goals of the Institute of Medicine’s 2001 report, “Crossing the Quality Chasm.” The report was the follow-up to a blockbuster 1999 report that unveiled the scope of medical errors in the health care industry.
“The foundation’s new report discusses I.T. applications that support patient empowerment, making the care system safe and reliable, care relationships beyond the encounter, and public accountability for quality. It also addresses challenges associated with introducing new technologies into an organization.”
www.healthdatamanagement.com
PKI: Failed Promise
At first glance, PKI looks like the perfect solution to online security. Why isn’t it the universal solution? A recent article in CIO magazine provides one point of view:
“If you think it seems naive to summarily dismiss an entire platform, I would agree. Writing its obit wasn't my idea. It was inspired by a leading PKI vendor.
“Before we get to that, let's step back. As complex as Public Key Infrastructure is, the theory is sound. Crudely, it's customs for Internet transactions. The ‘passports’ are digital certificates. A trusted third party, a Certificate Authority, publishes half of that passport as a public key. You keep the other half, the private key. To make a transaction, match the private and public keys. When it works, PKI really works.
“It's just that it rarely works. ‘Experts say the promise of PKI is real but that challenges remain.’ This was from a news item last week, but it might as well have been from 1997. The truth is, PKI is terminally promising. Every year since 1997 has been the ‘year of PKI.’ It has been called a ‘silver bullet’ and a ‘guarantee’ for secure online commerce. In 1997 it was called ‘high-tech bug spray’ to stop ‘viral warfare.’ When that didn't work, it became the safest way to shop online in 1999. When that didn't work, it became perfect for the wireless market in 2000. PKI is always just about to revolutionize electronic transactions somewhere.
“It never does. For two reasons.
“First, vendors, in typically greedy fashion, refused to create standards, so that as recently as last week, an engineer was wondering why one vendor's digital certificates crashed another vendor's e-mail program. Second, vendors, in typically greedy fashion, skewed the business model for PKI to generate large chunks of revenue up front, before the systems even worked, by making CIOs buy stockpiles of digital certificates—something like a camera company making you buy 1,000 rolls of film before you get a camera.
“So while the concept behind PKI was appealing, everything else about it was shoddy. Vendors approached PKI arrogantly and CIOs approached it ignorantly. This worked during the bubble years because everyone could afford their respective approach. PKI was the prototypical Internet boom technology.
“Then the boom ended. CIOs’ sudden necessity to think before they spent meant PKI went from a weak blip on radar screens to no blip at all. The spending crash didn't just humble PKI vendors, it humiliated them. They reported massive losses and layoffs. They couldn't sell a cup of coffee, let alone a technology platform that was so complex you needed a glossary to navigate its arcana.
“Entrust is the PKI vendor that suggested PKI has gone flatline, when they visited us here at CIO. This doesn't mean Entrust is going away, or that the company doesn't have a viable business. What the executives meant was that the business model has changed so radically for digital certificates that—while some of the backend technology remains the same—the term PKI is no longer useful. ... Repositioning usually equals desperation. So I'm staying bearish on PKI, or whatever the vendors call it now.”
www2.cio.com
Updates
HIPAA DocAssistant, a tool to guide physicians with surveys, gap analysis and risk assessment, mitigation tracking, and due diligence recording and documentation, has been added to the Tools page. http://lpf.com/hipaa/tools.html#blass-tools
HIPAA Conferences
The HIPAA Colloquium at Harvard University, August 19 - 23, 2002 in Cambridge, MA. The HIPAA Colloquium is well known for its intensity and advanced approach. … this summer's Colloquium focuses on practical workshops to assist organizations in meeting HIPAA compliance deadlines. The Colloquium is also offering special registration rates for groups of three or more from an organization's HIPAA compliance team.
www.HIPAAColloquium.com
The fifth National HIPAA Summit, October 30 - November 1, 2002 in Baltimore, MD, www.HIPAASummit.com